A couple of days ago, my colleagues reported an attack that appears to be targeted and that involves email messages sent through a Webmail service. Upon further investigation, we were able to confirm that this attack exploits a previously unpatched vulnerability in Hotmail. Trend Micro detects the malicious email messages as HTML_AGENT.SMJ.

The said attack simply requires the targeted user to open the specially crafted email message, which automatically executes the embedded script. This then leads to the theft of critical information, specifically email messages and information about the affected user’s personal contacts. The stolen email messages may contain sensitive information that cybercriminals can use for various malicious routines.

The script connects to http://www.{BLOCKED}eofpublic.com/Microsoft.MSN.hotmail/mail/rdm/rdm.asp?a={user account name}{number} to download yet another script.

The nature of the said URL strongly suggests that the attack is targeted. The URL contains two variables—{user account name}, which is the target user’s Hotmail ID, and {number}, which is a predefined number set by the attacker. The number seems to determine the malicious payload that will be executed, as we’ve found that the information theft routines are only executed when certain numbers are in the {number} field.
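As an added example (not from the original post), the following Python script scans constructed web-proxy log lines for requests with the first-stage download shape described above, matching the `a=` parameter against a list of protected users' Hotmail IDs rather than guessing where the account name ends and the attacker's number begins. The host and accounts are placeholders; the real domain was redacted in the post.

```python
from urllib.parse import urlsplit, parse_qs

# Path of the first-stage download URL described in the post (compared
# case-insensitively). The real host was redacted ({BLOCKED}); every host,
# client address and account name below is constructed.
BEACON_PATH = "/microsoft.msn.hotmail/mail/rdm/rdm.asp"

# Constructed proxy log lines in the form "<client> <method> <url>".
SAMPLE_LOG = """\
10.0.0.5 GET http://www.example-redacted.com/Microsoft.MSN.hotmail/mail/rdm/rdm.asp?a=alice.smith7
10.0.0.6 GET http://www.example-redacted.com/Microsoft.MSN.hotmail/mail/rdm/rdm.asp?a=bob201103
10.0.0.7 GET http://mail.live.com/mail/InboxLight.aspx?n=12345
10.0.0.8 GET http://www.example-redacted.com/Microsoft.MSN.hotmail/mail/rdm/rdm.asp
"""


def parse_beacon(url, known_accounts):
    """Return (account, number) when url has the rdm.asp shape and its 'a'
    parameter is a known Hotmail ID followed by digits, otherwise None."""
    parts = urlsplit(url)
    if parts.path.lower() != BEACON_PATH:
        return None
    values = parse_qs(parts.query).get("a")
    if not values:
        return None
    a = values[0]
    # Try the longest known ID first so 'bob2011' beats 'bob' for 'bob201103'.
    for acct in sorted(known_accounts, key=len, reverse=True):
        rest = a[len(acct):]
        if a.startswith(acct) and rest.isdigit():
            return acct, rest
    return None


def scan_log(text, known_accounts):
    """Return [(client_ip, account, number)] for every beacon hit in the log."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than failing the whole scan
        client, _method, url = fields
        found = parse_beacon(url, known_accounts)
        if found:
            hits.append((client, found[0], found[1]))
    return hits
```

Each hit names the client that fetched the second-stage script and the mailbox whose session should be treated as compromised until the user logs off.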

The URL leads to another script detected by Trend Micro as JS_AGENT.SMJ. The script triggers a request that is sent to the Hotmail server. The said request sends all of the affected user’s email messages to certain email addresses. The email message forwarding, however, will only work during the session wherein the script was executed and will stop once the user logs off.

The attack takes advantage of a script or a CSS filtering mechanism bug in Hotmail (CVE-2011-1252). Microsoft has already taken action and has updated Hotmail to fix the said bug.

We analyzed the crafted code embedded before the actual email message’s content and discovered that once Hotmail’s filtering mechanism processes the code, it ironically inserts a character into the CSS parameters, splitting the script into two separate lines that are then rendered by the Web browser’s CSS engine. This allows the cybercriminals to turn the script into something that lets them run arbitrary commands in the current Hotmail login session.

The malicious scripts and the URL related to this attack are already detected and blocked by the Trend Micro™ Smart Protection Network™ file and Web reputation technologies. Microsoft has already acknowledged the presence of the vulnerability and has released a security update to address the issue.